Nisarga Adhikary, 19, claims he hacked CBSE marking portal, warned board earlier
A teen cybersecurity researcher's blog post alleging serious flaws in CBSE's On-Screen Marking portal has triggered concern online after entrepreneur Deedy Das amplified the issue on X. The researcher says he alerted CERT-In months ago, but several vulnerabilities allegedly remained active in a system handling sensitive board exam evaluation data.

At a time when lakhs of CBSE students are already struggling with revaluation portal crashes, blurred answer sheet complaints, repeated deadline extensions and even incorrect marks, a new controversy has erupted online around the security of the board's digital evaluation systems.
A post by tech entrepreneur Deedy Das has pushed a months-old cybersecurity disclosure involving CBSE into the spotlight after 19-year-old researcher Nisarga Adhikary claimed he found major vulnerabilities inside the board's On-Screen Marking portal and reported them to CERT-In back in February.
In a detailed blog post published on his website and shared on X on May 22, Nisarga claimed he discovered multiple critical vulnerabilities inside CBSE's On-Screen Marking (OSM) portal back in February and reported them to CERT-In. According to him, several of those issues allegedly remained unpatched for months.
The issue gained wider attention after Deedy Das posted about it on X on May 26, calling it "an absolute embarrassment" and alleging the vulnerabilities could have allowed someone to "view and CHANGE any students' marks".
At the time of writing, CBSE has not publicly confirmed the claims made in the blog post or whether any student marks were actually altered.
But the allegations are drawing extra attention because they arrive during one of CBSE's most chaotic post-result periods in recent years.
HOW A CLASS 12 STUDENT ENDED UP INSIDE CBSE'S MARKING SYSTEM
Nisarga says the whole thing started with curiosity.
"CBSE rolled out OSM and I noticed the portal link was completely public," he wrote.
The OSM system is used for digital evaluation of scanned board exam answer sheets. Instead of physically checking papers, evaluators log into the portal and assess scripts online.
According to Nisarga, once he opened the site and started inspecting the backend requests, he realised the problems were far bigger than expected.
"The login page asks for three things: a user ID, a school code, and a password, followed by an OTP step," he wrote. "Nothing about that screen looks unusual. The problems only showed up once I stopped looking at the page and started looking at the code behind it."
What followed in the blog reads like a list of mistakes cybersecurity experts warn developers never to make.
'WHAT I FOUND INSIDE WAS HORRIBLE'
"I opened the On-Screen Marking portal and started playing around with the HTTP requests and everything else I could see," he wrote.
According to his blog, the deeper he dug into the platform, the more serious the alleged flaws became.
One of the biggest claims involved what he described as a hardcoded "master password" allegedly sitting openly inside a publicly accessible JavaScript bundle used by the website.
"That bundle is served publicly. Anyone can request it, logged in or not. So I pretty-printed it and started reading. What I found inside was horrible," he wrote.
According to Nisarga, the password was allegedly visible directly inside the frontend code itself.
"Not a hash, not a token reference, but the literal password string, baked directly into the client-side JavaScript that gets shipped to every visitor's browser."
He claimed that entering this password allegedly bypassed the OTP system entirely and allowed access to examiner accounts.
"To log in as a specific examiner, all an attacker needs is a target's user ID and school code, both of which are publicly obtainable," he wrote.
But according to the blog, the OTP system itself allegedly had major weaknesses too.
"The OTP step turned out to be pure theatre," Nisarga wrote.
He claimed the OTP was allegedly sent back inside the server response itself, while the browser locally checked whether the entered OTP matched.
"The secret you're supposed to prove you received is handed straight to your browser, and the browser grades its own test," he wrote.
According to his explanation, anyone inspecting the network requests could allegedly view the OTP directly.
"And because the comparison happens in client-side code, you can skip the form altogether and simply tell the app the check passed."
Then came the line from the blog that many cybersecurity users online began quoting: "A security control that runs on the attacker's machine isn't a control at all."
THE LOGIN WASN'T EVEN THE ONLY ISSUE
The blog claims the vulnerabilities extended far beyond passwords and OTPs.
According to Nisarga, several internal routes inside the Angular-based application allegedly had no proper route protection at all.
He claimed pages like "/dashboard", "/profile", "/evalscriptsview" and "/verificationdashboard" could allegedly be accessed by simply inserting dummy values into browser storage.
"The token is fake, the user is invented, and the app doesn't care," he wrote after demonstrating an example using browser console commands.
He also alleged that the system’s password reset mechanism failed to verify the old password before allowing a change.
"The current password is never verified," the blog states.
According to his explanation, combining this flaw with what he described as a "systemic IDOR vulnerability" could allegedly allow attackers to impersonate examiner accounts by changing stored IDs.
"That's a complete account takeover, with no credentials and no insider access," he wrote.
HE SAYS HE REPORTED IT ALL MONTHS AGO
One of the biggest reasons this story is drawing attention is not just the alleged vulnerabilities themselves, but the timeline.
Nisarga says he reported the issues to CERT-In immediately after discovering them in February.
"My first email laid out the master-password leak and the client-side OTP validation," he wrote.
According to the blog, CERT-In later asked for additional details and a screen recording, after which he allegedly sent walkthrough videos showing the authentication bypass and other flaws.
He then received what he described as a boilerplate acknowledgement email: "Thank you for reporting this incident to CERT-In. We have registered your complaint/incident under Ref: CERTIn-XXXXX."
Nisarga claims he followed up multiple times afterwards but did not receive further updates.
"It's honestly funny that most of the vulnerabilities I reported went unpatched for a long time, when I'd have fixed them in an hour or two if they were mine to fix," he wrote.
DEEDY DAS' POST PUT THE ISSUE INTO THE PUBLIC EYE
The issue remained largely confined to niche cybersecurity discussions until Deedy Das posted about it on X on Monday morning.
"This topic is close to me because not only is this the education system I went through, but 12 years ago and silently for 5yrs since, I'd written about and reported a much less severe vulnerability," he wrote.
He also highlighted the broader implications of the alleged flaws for students and exam systems.
"If there's any light at the end of the tunnel, it's that a 19yo who never went to college can do things 99% of top engineers couldn't figure out," he wrote.
The replies under the post quickly filled with reactions ranging from concern to anger.
"The code bug is bad. The response bug is worse," one user wrote.
Another commented: "A teenager found what institutions missed for years."
Others connected the controversy to wider frustrations around paper leaks, exam cancellations, portal failures and trust in digital education systems.
Some users, however, urged caution and pointed out that the claims have not yet been independently verified publicly by CBSE.
WHY THIS STORY FEELS BIGGER THAN JUST A TECH GLITCH
CBSE is affiliated with more than 33,000 schools in India and several hundred abroad. Its examination system impacts millions of students every year.
That scale is exactly why the story has unsettled so many people online.
For students, marks are not just numbers. They decide admissions, scholarships, cutoffs, careers and sometimes entire family expectations.
And this controversy lands at a time when trust in major exam systems is already fragile after repeated paper leak allegations and technical controversies involving different agencies.
Nisarga ended his blog with a warning that now feels much larger than one portal.
"These aren't advanced defences," he wrote. "They're the basics."